System and method to provide 911 access in voice over internet protocol systems without compromising network security

ABSTRACT

A system and method to provide emergency call access in Voice over Internet Protocol (VoIP) systems without compromising network security. The system and method enables VoIP emergency signal detection at a user device, and transmission of the VoIP emergency signal from the user node to a network server node through the use of data encapsulation and decapsulation (or “tunneling”), allowing VoIP data routing via an IP transport layer regardless of access or network security restrictions.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a system and method for emergency access in Voice over Internet Protocol systems (VoIP), allowing limited communication connections when access is not otherwise authorized. Specifically, the present invention relates to a system and method for recognizing 911 emergency call requests and establishing and controlling a limited connection between the requesting device and server.

2. Description of the Related Art

A predominant goal of 911 access is the ubiquitous availability to emergency services. For both existing wired and wireless telephony services, 911 access is mandated from any device that has access to service, regardless of the user's subscription status or service restrictions.

For a wired telephone, when there is dial-tone present the network must permit a 911 call to be made. In the case of wireless telephones, if the handset can “see” the wireless system, the system must permit the handset to generate a 911 call. Both of these situations result as both networks can readily detect a request for a 911 call or a location specific Enhanced 911 (E911) call.

For Voice over Internet Protocol services (VoIP), providing 911 access without regard for service status is much more difficult. As can be appreciated by one skilled in the art, Voice over Internet Protocol is a communication technique for transmitting ordinary telephone calls over the Internet using packet-linked routes. A VoIP system captures, packetizes, and transports telephone conversations over a network, such as the Internet, which was originally designed to transport computer-generated data. However, because services such as VoIP are packet-based and use a layered protocol, VoIP communication systems require a software application on the device, such as a personal computer, to enable the device to make a call, and an IP services layer at the network to transport the call. The VoIP application can use one of several different signaling protocols, such as H.323, SIP, or Megaco, to initiate a 911 call and, as a consequence, a request for a 911 call may become embedded in a high-level protocol, which is not easily detected by the IP transport layer.

In providing 911 access, a VoIP client and IP services are assumed to be available and usable at the user device. Any additional capabilities required by the 911 service, such as user identification or caller location for enhanced 911 service (E911), are assumed to be provided by the VoIP client. Further details regarding E911 caller location services are set forth in IETF document entitled “Providing Emergency Call Services For SIP-Based Internet Telephony”, Jul. 13, 2000, the entire content being incorporated herein by reference.

The initial identification of 911 calls at a user device may involve the use of a special key on the user device, indicating a 911 call when pressed, or a predetermined key sequence, indicating a 911 call. Further details regarding identifying 911 calls at a user device are described in U.S. Pat. No. 6,073,005 entitled “Systems and Methods For Identifying Emergency Calls In Radio Communication Systems”, issued Jun. 6, 2000, the entire content being incorporated herein by reference.

Once a VoIP system 911 call is successfully initiated, existing call switching mechanisms can be used to complete the call. In most cases, a 911 call is merely switched from the IP network to a PSTN network for completion. Details regarding switching VoIP system 911 calls to PSTN networks are described in U.S. Pat. No. 6,363,065 entitled “Apparatus For A Voice Over IP (VoIP) Telephony Gateway And Methods For Use Therein”, issued Mar. 26, 2002, the entire content being incorporated herein by reference.

Providing VoIP system 911 call access without regard for service status may require bypassing multiple layers of security and access control in the network. For example, a device may have physical access to a network, such as a LAN, WAN or wireless system, but may not be authorized for IP services over the connection. Even if the device does have IP services available, it may not be authorized for access to the requested VoIP services or equipment. Arbitrary bypasses to security and access controls can be made to allow access, however, this can expose the network to theft of services or other potential attacks.

Accordingly, a need exists for a system and method for 911 access in Voice over IP systems in which 911 call requests are detected and restriction controls may be bypassed without compromising network security.

SUMMARY OF THE INVENTION

An object of the present invention is to provide a system and method for detection of a 911 call request from a user device by IP transport layers, regardless of high level signaling protocols used by the device.

Another object of the present invention is to provide a system and method for establishing a limited connection between a 911 call requesting user device and a network server, allowing IP traffic between the device and server while bypassing network security and access restrictions without compromising network security.

A further object of the present invention is to provide a system and method of control over a limited connection made between a 911 call requesting user device and a network server.

These and other objects are substantially achieved by providing a system and method of 911 access where upon the initiation and detection of a request for a 911 call to the network server, the network server establishes a limited connection with the requesting user device. To achieve this, the network layer at the requesting user device detects the 911 call request and initiates a request to a network server for a 911 call. The network server determines whether any special handling is required, and if so, establishes and controls an IP tunnel to the requesting device.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects, features and characteristics of the present invention will become more apparent to those skilled in the art from a study of the following detailed description in conjunction with the appended claims and drawings, all of which form a part of this specification. In the drawings:

FIG. 1 is a block diagram of an example of an ad-hoc wireless communications network including a plurality of nodes employing an embodiment of the present invention;

FIG. 2 is a block diagram of an example of a wireless node as shown in FIG. 1; and

FIG. 3 is a block diagram of an example of the manner in which 911 access between nodes is performed in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 is a block diagram illustrating an example of an ad-hoc packet-switched wireless communications network 100 employing an embodiment of the present invention. FIGS. 1 and 2 illustrate an implementation of one embodiment of the present invention using a wireless ad-hoc network configuration, and are not intended to limit the application of the present invention to ad-hoc networks or wireless devices. Additional embodiments of the present invention may be implemented in a wide range of network configurations, such as wired local area networks and associated devices in the manner described below.

In the embodiment shown in FIG. 1, the network 100 includes a plurality of mobile wireless user terminals 102-1 through 102-n (referred to generally as nodes or mobile nodes 102), and a fixed network 104 having a plurality of access points 106-1, 106-2, . . . 106-n (referred to generally as nodes or access points 106), for providing the nodes 102 with access to the fixed network 104. The fixed network 104 includes, for example, a core local access network (LAN), and a plurality of servers and gateway routers, to provide the nodes 102 with access to other networks, such as other ad-hoc networks, the public switched telephone network (PSTN) and the Internet. The network 100 further includes a plurality of fixed routers 107-1 through 107-n (referred to generally as nodes or fixed routers 107) for routing data packets between other nodes 102, 106 or 107. As stated above, additional embodiments of the present invention may be implemented using other network configurations, such as wired local area networks.

As can be appreciated by one skilled in the art, the nodes 102, 106 and 107 are capable of communicating with each other directly, or via one or more other nodes 102, 106 or 107 operating as a router or routers for data packets being sent between nodes, as described in U.S. Pat. No. 5,943,322 entitled “Communications Method For A Code Division Multiple Access System Without A Base Station”, issued Aug. 24, 1999, the entire content being incorporated herein by reference. Further details of these types of ad-hoc networks are described in U.S. Pat. No. 7,072,650 entitled “Ad Hoc Peer-to-Peer Mobile Radio Access System Interfaced to the PSTN and Cellular Networks”, issued on Jul. 4, 2006, and in U.S. Pat. No. 6,807,165 entitled “Time Division Protocol for an Ad-Hoc, Peer-to-Peer Radio Network Having Coordinating Channel Access to Shared Parallel Data Channels with Separate Reservation Channel”, issued on Oct. 19, 2004, the entire content of both applications being incorporated herein by reference.

Specifically, as shown in FIG. 2, each node 102, 106 and 107 includes a transceiver 108 which is coupled to an antenna 110 and is capable of receiving and transmitting signals, such as packetized data signals, to and from the node 102, 106 or 107, under the control of a controller 112. The packetized data signals can include, for example, voice, data or multimedia information. The nodes described above are generally adapted for use in wireless networks, however other node configurations may be used in additional embodiments of the present invention when different network configurations, such as wired local area networks, are used to implement the present invention.

Each node 102, 106 and 107 further includes a memory 114, such as a random access memory (RAM), that is capable of storing, among other things, routing information pertaining to itself and other nodes 102, 106 or 107 in the network 100. The nodes 102, 106 and 107 exchange their respective routing information, referred to as routing advertisements or routing table information, with each other periodically via a broadcasting mechanism, for example, when a new node 102 enters the network 100, or when existing nodes 102 in the network 100 move.

As further shown in FIG. 2, certain nodes, especially mobile nodes 102, can include a host 116 which may consist of any number of devices, such as a notebook computer terminal, mobile data unit, or any other suitable device. As may be appreciated by one skilled in the art, the majority of VoIP calls are made using a personal computer as a host 116, however any device capable of this purpose may be used. Each node 102, 106 and 107 also includes the appropriate hardware and software to provide Internet Protocol (IP) support, the purposes of which can be readily appreciated by one skilled in the art.

FIG. 3 illustrates an example of the manner in which 911 access between nodes is performed in accordance with an embodiment of the present invention. As shown in FIG. 3, each subscriber or user node 102, contains a software application 118 which may be used by the user to initiate a request for an emergency call, such as a 911 or E911 call. The server node 124 may consist of either an access point 106 or fixed network 104 as shown in FIG. 1. Call initiation at the unit 102 may be achieved using a dedicated emergency call button, or using a sequence of activated buttons.

As shown in FIG. 3, a local network layer 120 detects the emergency call request at the node 102 and initiates a request for a 911 call to a network server node 124. The server node 124 upon detection of the emergency call request, establishes a limited connection with the requesting node 102, allowing the server node to safely bypass security and access mechanisms in place while allowing the service or transport layer 122 to block any unauthorized traffic between the user node 102 and the server node 124.

As stated in the Background section, Voice over Internet Protocol is a technique for transmitting calls over the Internet using packet-linked routes and layered protocols. In FIG. 3, node 102 includes a software application 118 to enable the device to make an emergency call, and an IP service or transport layer 122 at the network to transport the call, however the request for an emergency call may become embedded in a high-level protocols at the local network layer 120, which are not easily detected by the IP transport layer 122. Additionally, security and access control at each layer 120 and 122 may restrict access to the server node 124 by the user node 102.

In the embodiment of the present invention shown in FIG. 3, when a user node 102 requests an emergency call, the network layer 120 at node 102 first detects that node 102 is requesting an emergency call to a server node. Network layer 120 can detect such emergency call requests from node 102 in a number of manners, including specific requests from the VoIP application at node 102 to the local network layer, or through network layer snooping within packets from node 102 for emergency call requests.

Upon detection of an emergency call request at node 102, local network layer 120 then initiates a request to a network server node 124 to allow completion of the call. The network server node 124 can be located by the local network layer 120 at either some well-known address, or discovered via a broadcast mechanism by the requesting node 102. As can be appreciated by one skilled in the art, numerous methods exist to identify an appropriate Public Safety Answer Point (PSAP) for an emergency call, and these same mechanisms can be applied to discover the appropriate server node to which the emergency call from node 102 should be directed.

A specific function of server node 124 is the determination of special handling requirements to allow the emergency call from the user node 102 when a request for a call is received from the local network layer 120. As shown in FIG. 3, the local network layer 120 detects an emergency call request from node 102 and initiates a request to server node 124. However, security and access controls at each layer 120 and 122 may restrict access to the server node 124 by the user node 102. When the server node 124 detects a request for an emergency call, the server node determines if special handling is required to allow the call from node 102 due to restrictions or controls at either 120 or 122. Special handling of an emergency call from node 102 may be required if, for example, node 102 is not authorized for access to the requested VoIP services or equipment of the server 124.

If special handling is required, such as bypassing security or access controls, server node 124 establishes an IP “tunnel” to the requesting user node 102 allowing the required IP traffic between the user node 102 and the server node 124, during which, the server node 124 controls the IP tunnel to prevent a compromised local network layer from gaining unauthorized network access. As can be appreciated by one skilled in the art, “tunneling” is a technique which allows a network to send its data via another network's connections. Tunneling is achieved by encapsulating a first network protocol within packets carried by a second network, and is therefore often referred to as encapsulation. The original packet is encapsulated inside a new packet which provides routing information allowing the packet to travel through internetworks, as directed by an encapsulation header, which may otherwise be restricted. Once the encapsulated packet arrives, the encapsulation header is removed and the original packet is routed to its final destination. Further details regarding IP Tunneling and Encapsulation are set forth in RFC 1853 entitled “IP In IP Tunneling”, October 1995, and in RFC 2003 entitled “IP Encapsulation Within IP”, October 1996, the entire content of each being incorporated herein by reference.

The direct path taken by the encapsulated data is called a “tunnel” and also serves to restrict incorrectly directed data. Where special handling is required in FIG. 3, the emergency call traffic from the VoIP client user node 102 is encapsulated by the local network layer at 120. Once encapsulated, the encapsulation header provides instructions, routing the emergency call through service layer 122 to the network server node 124, avoiding layer restrictions which may otherwise have blocked the call. When the emergency call is received at server node 124, the node removes the encapsulation from the emergency call traffic and may either forward the VoIP packets to the destination indicated by the header or provide emergency VoIP services directly.

The tunnel established between nodes 102 and 124 in FIG. 3 allows bypassing transport layer restrictions while maintaining network security levels. During periods when a communication tunnel is established between nodes 102 and 124, the service layer 122 continues to block unauthorized traffic from the user node 102 by permitting only traffic having encapsulation headers routing communications to the server node 124. The network server node 124 blocks any unauthorized traffic through the tunnel by permitting only emergency calls which are to be either handled at the server node 124 or routed to a final destination providing emergency call service. Any attempts by the user node 102 to send data packets to any address other than node 124 via the service network layer 122 is blocked by normal network security mechanisms. The service layer 122 between user node 102 and server node 124 will only bypass security for communication traffic to the server node 124. All other traffic from the user node will remain blocked, preventing traffic from going anywhere but between the user device and the server, unless the server node 124 forwards the traffic to another location. In such a case, the server node can act as either a proxy, or relay, for VoIP packets from the requesting user node, or provide emergency call VoIP services directly.

Although only a few exemplary embodiments of the present invention have been described in detail above, those skilled in the art will readily appreciate that many modifications are possible in the exemplary embodiments without materially departing from the novel teachings and advantages of this invention. Accordingly, all such modifications are intended to be included within the scope of this invention as defined in the following claims. 

1. A method of providing emergency access in a communication network, wherein the communication network includes one or more communication restrictions, the method comprising: at a first node: detecting an emergency call VoIP signal prior to normal IP security; and sending a request for an emergency call connection via an IP transport layer, said transport layer including communication restrictions; and at a second node: receiving said request; establishing a limited emergency call connection with said first node via said IP transport layer, said limited connection bypassing said normal IP security including said communication restrictions; allowing transmission of said emergency call VoIP signal from said first node to said second node, and blocking all other communications within said limited connection.
 2. A method as claimed in claim 1, further comprising at said first node: detecting at a local network layer a specific request for an emergency call VoIP signal.
 3. A method as claimed in claim 1, further comprising at said first node: detecting at a local network layer an emergency call VoIP signal by snooping within received packets.
 4. A method as claimed in claim 1, further comprising at said first node: locating said second node via a broadcasting mechanism.
 5. A method as claimed in claim 1, wherein said establishing said limited emergency call connection between said first and second nodes comprises tunneling said emergency call VoIP signal from said first node to said second node via said secured IP transport layer.
 6. A method as claimed in claim 1, further comprising at said second node: functioning as a proxy relay for said emergency call VoIP signal.
 7. A method as claimed in claim 1, further comprising at said second node: providing emergency call VoIP signal service.
 8. A method as claimed in claim 1, wherein said network includes a wireless ad-hoc network which includes said local network layer and said secured IP transport layer.
 9. A system for allowing emergency call access in a communication network, wherein said communication includes one or more communication restrictions, the system, comprising: a user node comprising: a user node software application for initiating an emergency call using a VoIP application prior to normal IP security, a local network layer coupled to the user node software application for sending a request for an emergency call connection to a network server node via an IP transport layer, said transport layer including communication restrictions between said user node and said network server node; and said network server node comprising: a means for receiving said request, and in response, establishing a limited emergency call connection between said user node and said network server node via said IP transport layer, said limited connection bypassing said normal IP security including said communication restrictions, allowing transmission of said emergency call VoIP signal while blocking all other communications within said limited connection from said user node to said network server node.
 10. A system as claimed in claim 9, wherein said local network layer sends said request in response to detecting a specific request for said emergency call VoIP signal.
 11. A system as claimed in claim 9, wherein said local network layer snoops within one or more received packets to detect an emergency call VoIP signal.
 12. A system as claimed in claim 9, wherein said local network layer locates said network server node via a broadcasting mechanism.
 13. A system as claimed in claim 9, wherein said network server node establishes a limited emergency call connection with said user node by tunneling said emergency call VoIP signal from said user node to said network server node via said secured IP transport layer.
 14. A system as claimed in claim 9, wherein said network server node further comprises a proxy relay for said emergency call VoIP signal.
 15. A system as claimed in claim 9, wherein said network server node further provides emergency call VoIP signal.
 16. A system as claimed in claim 9, wherein said network includes a wireless ad-hoc network which includes said local network layer and said secured IP transport layer. 